upd: allow signing of OCSP-Certs for internal use

- factor out checking for "own" organisation
- adding OCSP EKU to Simple Signer
- adding check for certificate "ocsp"-requirement
- allow Profile-Ids to be non-consecutive

diff --git a/src/org/cacert/gigi/api/CATSImport.java b/src/org/cacert/gigi/api/CATSImport.java
index 507a4a000f0e822134f38a400e16dc0576960385..b30658d6ecd484307d32b29c94347af068802e14 100644 (file)
--- a/src/org/cacert/gigi/api/CATSImport.java
+++ b/src/org/cacert/gigi/api/CATSImport.java
@@ -21,7 +21,7 @@ public class CATSImport extends APIPoint {
             resp.sendError(500, "Error, invalid cert");
             return;
         }
             resp.sendError(500, "Error, invalid cert");
             return;
         }

-        if ( !"CAcert".equals(((Organisation) u).getName())) {
+        if ( !((Organisation) u).isSelfOrganisation()) {

             resp.sendError(500, "Error, invalid cert");
             return;
 
             resp.sendError(500, "Error, invalid cert");
             return;
 

diff --git a/src/org/cacert/gigi/dbObjects/CertificateProfile.java b/src/org/cacert/gigi/dbObjects/CertificateProfile.java
index c31f6cbfa3449dbaebb4ceb2e7f2564765da2640..5704497986388f70123d5bf7230839bed85fde0d 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/CertificateProfile.java
+++ b/src/org/cacert/gigi/dbObjects/CertificateProfile.java
@@ -263,6 +263,14 @@ public class CertificateProfile implements IdCachable {
                 if ( !actor.isInGroup(Group.CODESIGNING)) {
                     return false;
                 }
                 if ( !actor.isInGroup(Group.CODESIGNING)) {
                     return false;
                 }

+            } else if (s.equals("ocsp")) {
+                if ( !(owner instanceof Organisation)) {
+                    return false;
+                }
+                Organisation o = (Organisation) owner;
+                if ( !o.isSelfOrganisation()) {
+                    return false;
+                }

             } else {
                 return false;
             }
             } else {
                 return false;
             }

diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java
index fa6ff1bee357d4ed52050e2226ad312f40b3bec3..66de62d9500d12a4e5c8b00fd5cdb59ed47dcf8f 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
@@ -217,4 +217,8 @@ public class Organisation extends CertificateOwner {
     public boolean isValidEmail(String email) {
         return isValidDomain(email.split("@", 2)[1]);
     }
     public boolean isValidEmail(String email) {
         return isValidDomain(email.split("@", 2)[1]);
     }

+
+    public boolean isSelfOrganisation() {
+        return "CAcert".equals(getName());
+    }

 }
 }

diff --git a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
index 5712190bcd8f84e66329637fd9644e1e78806abe..7774fd814ea8007b619df1c67d9c75216aff0232 100644 (file)
--- a/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
+++ b/src/org/cacert/gigi/pages/account/certs/CertificateIssueForm.java
@@ -152,16 +152,19 @@ public class CertificateIssueForm extends Form {
         vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
         vars2.put("profiles", new IterableDataset() {
 
         vars2.put("hashs", new HashAlgorithms(cr.getSelectedDigest()));
         vars2.put("profiles", new IterableDataset() {
 

-            int i = 1;
+            CertificateProfile[] cps = CertificateProfile.getAll();
+
+            int i = 0;

 
             @Override
             public boolean next(Language l, Map<String, Object> vars) {
                 CertificateProfile cp;
                 do {
 
             @Override
             public boolean next(Language l, Map<String, Object> vars) {
                 CertificateProfile cp;
                 do {

-                    cp = CertificateProfile.getById(i++);
-                    if (cp == null) {
+                    if (i >= cps.length) {

                         return false;
                     }
                         return false;
                     }

+                    cp = cps[i];
+                    i++;

                 } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
 
                 if (cp.getId() == cr.getProfile().getId()) {
                 } while ( !cp.canBeIssuedBy(c.getTarget(), c.getActor()));
 
                 if (cp.getId() == cr.getProfile().getId()) {

diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java
index 970c719f468b222dfb9c7eec2b2fa39eb508d84d..d23b78bc6d83fd1f7a0c8a008183159b7403c882 100644 (file)
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -494,6 +494,9 @@ public class SimpleSigner {
             case "emailProtection":
                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
                 break;
             case "emailProtection":
                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
                 break;

+            case "OCSPSigning":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
+                break;

 
             default:
                 throw new Error(name);
 
             default:
                 throw new Error(name);